Description
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17. This vulnerability was reported via the GitHub Bug Bounty program.
Published: 2026-06-30
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A UI misrepresentation flaw in GitHub Enterprise Server allowed an OAuth application to request the manage_runners:org scope without it appearing on the authorization consent screen. An attacker can create such an OAuth app, entice a victim user to authorize it, and thereby gain unrestricted control over the victim’s organization runners. This enables the attacker to add, modify, or delete runners, potentially leading to malicious workflow execution within the organization’s GitHub Actions environment.

Affected Systems

GitHub Enterprise Server versions prior to 3.22 are affected. The issue was addressed in release 3.21.2 for 3.21.x, 3.20.4 for 3.20.x, 3.19.8 for 3.19.x, 3.18.11 for 3.18.x, and 3.17.17 for 3.17.x.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The attack requires a human victim to authorize a malicious OAuth application, making the threat vector social engineering. While it does not grant immediate code execution, the ability to manage runners can be leveraged to run arbitrary code in the organization’s CI/CD pipeline, which is a significant risk when combined with other vulnerabilities.

Generated by OpenCVE AI on June 30, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GitHub Enterprise Server to version 3.22 or above, or any of the patched releases 3.21.2, 3.20.4, 3.19.8, 3.18.11, or 3.17.17.
  • Revoke any existing OAuth access tokens that contain the manage_runners:org scope and review granted tokens for other unnecessary permissions.
  • Audit all organization OAuth applications to ensure they request only the minimum scopes required, and remove previously authorized applications that are no longer needed.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 21:30:00 +0000

Type: Description
Values removed: A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.
Values added: A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17. This vulnerability was reported via the GitHub Bug Bounty program.
References

Tue, 30 Jun 2026 21:00:00 +0000

Type: Description
Values added: A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed an OAuth application to gain unintended access to an organization's runner management. An attacker could exploit this by creating an OAuth application requesting the manage_runners:org scope and directing a victim user to authorize it, as the scope was not displayed on the authorization consent screen. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.22 and was fixed in versions 3.21.2, 3.20.4, 3.19.8, 3.18.11, 3.17.17, 3.16.20. This vulnerability was reported via the GitHub Bug Bounty program.
Type: Title
Values added: UI misrepresentation vulnerability in GitHub Enterprise Server allowed unauthorized organization runner management via undisclosed OAuth scope on consent screen
Type: Weaknesses
Values added: CWE-451
Type: References
Type: Metrics
Values added: cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_P

Published:

Updated: 2026-06-30T21:04:09.098Z

Reserved: 2026-05-20T17:12:51.109Z

Link: CVE-2026-9106

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T22:30:06Z

Weaknesses
  • CWE-451: User Interface (UI) Misrepresentation of Critical Information